Editions

Based on Mandrake 10.x, but valid for all distributions.
Very thorough. Includes package descriptions, where to get the sources and binaries,
how to build them or which RPMs to use, includes many references, etc.
Starts off with a basic working server, then advances, extends and tightens it in stages.

Requirements

Hardware:
A computer to be the server.
Processor and memory requirements are low.
Disk space depends on how much mail you expect to keep,
ranging from <1 GB to 200 GB.
It needs direct network access to the outside world, or
ports forwarded through to it.

Software:
None, apart from an Ubuntu CD or a pre-installed system.

Skills:
You do not need to be a guru, as it is not advanced.
However, some Linux skills are desirable,
as is knowledge of the risks of leaving ports
exposed to the outside world.

Research

Don't take my word for it!
Research others' opinions and methods.
Look at my references,
look at Postfix.org's howtos,
read the excellent books available
(E.g. Kyle's or Hildebrandt's),
search the web or read the proper
documentation.

If you refer to this howto in your own document,
or find useful links, then
let me know.

Author

I am Ivar Abrahamsen,
a 29-year-old software engineer from Norway, but based
in Manchester.
I use Linux a lot, though I am not a guru.
My general interests are sports, technology
and my better half.

Why have I written this how to?
I set up my mail server in 2003,
and then did the same for a few friends and colleagues.
Soon I was getting more requests,
and being a lazy programmer, I thought...
"Why don't I write a howto and let them do it themselves..."
Soon it was listed on postfix.org
and I was getting thousands of hits and
lots of emails. (A blessing in disguise.)

See the contact
section for how to discuss this howto
and how to contact me.
Send me a note if
you found this useful.
If you use this for commercial purposes,
then why not donate a few quid?
(Remember to respect the licenses involved)

Software

Which software packages I have used or will use, and why.

OS: Ubuntu Linux

Ah the age old distro argument...
Thankfully this set up should work on most distros.
I used to base this howto on Mandrake(now Mandriva),
and I started this new edition on a Gentoo box.
But I don't have the patience for Gentoo,
nor the money to stay with Mandriva Power editions.
Why Ubuntu? It's free, simple and slick.
As Ubuntu is derived from Debian, the installations
used here will be apt-get based.
Please refer to my other editions for details on RPM
or source based installations.

Anti-Virus: ClamAV

A free virus scanner that can be trusted and includes an update daemon.

Authentication: Cyrus SASL

Secure and trusted cryptography technology
for authentication of SMTP traffic.

PostGrey

Postgrey is an excellent little script that stops 99% of all spam.
All it does is, on first contact for a specific from-to combination,
tell the sending server to try again in a little while,
which most spammers can't afford to do.
When proper servers try again after a few minutes, it lets them through.
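The greylisting decision just described, as an added example for this page (it is not the Postgrey script itself): a small policy-daemon core in Python that keys on the client address, sender and recipient, answers in Postfix's policy delegation format (name=value lines ended by an empty line, reply "action=..."), and forgets old entries. The delay and expiry values and the 450 reply text are assumptions made for the demo; Postgrey's real defaults and its lookup granularity differ.

```python
"""Greylisting, reduced to the logic the howto describes.

Added illustration, not the Postgrey script: a (client, sender, recipient)
triplet that has never been seen gets a temporary reject and must come back
after a delay; proper MTAs retry, most spam software does not.  The delay,
expiry and reject text below are assumptions for this demo.
"""
import time

GREYLIST_DELAY = 300            # seconds a new triplet must wait (assumed)
GREYLIST_EXPIRE = 35 * 86400    # forget a passed triplet after this long (assumed)
TEMP_REJECT = "450 4.2.0 Greylisted, please try again later"  # constructed text


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, expire=GREYLIST_EXPIRE):
        self.delay = delay
        self.expire = expire
        self.first_seen = {}    # triplet -> time of first contact

    def check(self, client_ip, sender, recipient, now=None):
        """Return 'DUNNO' (no opinion, let other checks decide) or a 450 reject."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.get(key)
        if first is None or now - first > self.expire:
            # Never seen, or seen so long ago that we forgot it: start over.
            self.first_seen[key] = now
            return TEMP_REJECT
        if now - first < self.delay:
            # Retried too quickly: still greylisted.
            return TEMP_REJECT
        return "DUNNO"


def parse_policy_request(text):
    """Parse one Postfix policy request ('name=value' lines, blank line terminator)."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def handle_policy_request(greylist, text, now=None):
    """Answer a policy request as a policy daemon would: 'action=...' plus a blank line."""
    attrs = parse_policy_request(text)
    action = greylist.check(attrs.get("client_address", ""),
                            attrs.get("sender", ""),
                            attrs.get("recipient", ""), now)
    return "action=%s\n\n" % action


if __name__ == "__main__":
    # Constructed sample: a first attempt, a retry 5 seconds later, a retry 10 minutes later.
    g = Greylist()
    req = ("request=smtpd_access_policy\nclient_address=192.0.2.10\n"
           "sender=alice@example.org\nrecipient=xandros@blobber.org\n\n")
    for t in (0, 5, 600):
        print(t, handle_policy_request(g, req, now=1000 + t).strip())
```

Run it as a script and the three attempts print two temporary rejects followed by DUNNO, which is exactly the behaviour that separates a real MTA (it retries later) from most spam software (it does not).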

Encryption: TLS

Secure and trusted cryptography technology
for encryption of SMTP traffic.
Not to be confused with client encryption technology
like GnuPG and S/MIME. They are covered in the
extend section.
Formerly referred to as SSL.

WebMail: SquirrelMail

An easy to set up PHP-based web mail client.

Please see the software links appendix for further information
about these software packages. In that section there are more links to
documentation or forums, viable alternatives, downloadable packages, version details etc.

Install

Distro

This section is different for every distribution and for every version.

This howto is based on Ubuntu and its Debian base, which uses apt-get.
Therefore this section uses apt packages to the fullest.

For other installation methods please refer to the
software and the
software links sections,
and your own distribution's
documentation for other ways of installing.
My 2nd edition (outdated) has instructions
for Mandriva, general RPM and tarball compiling.

To follow the rest of this howto, you need to ensure all your
packages have been installed with the same modules,
e.g. MySQL lookup in Postfix and SASL, PHP in Apache etc.

I have set up mail servers using the 32-bit and 64-bit x86 platforms;
however, if all the packages are available, then other
platforms, e.g. Mac, should work too.

Base

Upon installing Ubuntu you have a choice of which base system to install.

The default, i.e. the one chosen when you just hit enter when prompted
right at the start, is the basic desktop flavour.

Another useful one is the server base.
It only includes the absolute minimum of packages,
so it is quite useful if you are only going to use it remotely.
Since Breezy it is also available as a smaller ISO download,
or by using the normal CD and hitting F1 instead of enter
and writing server at the prompt.

This howto has been used with both bases;
the server base will just need some more dependency packages.

Packages

Here is a list of packages needed, and what they provide.
Some are required by several of the programs,
and some might not be needed if you are not fully
following this howto.
Please note the extended section requires
further packages.

OS

shorewall

openssh-client

openssh-server

I've included the Shorewall firewall.
A firewall is not required, but recommended.
Obviously you can use another firewall,
but I'll assume you have chosen Shorewall.
An SSH server is not required either, but essential
if you need to administer or test the server remotely.

MySQL

mysql-common

mysql-client

mysql-server

libmysqlclient12

MySQL 4 is required by many of the packages,
so install it first.

TLS

openssl

SASL

libsasl2

libsasl2-modules

libsasl2-modules-sql

libauthen-sasl-cyrus-perl

libauthen-sasl-perl

libgsasl7

The SASL packages have changed for Breezy.
I'm investigating the differences.
The packages marked * I have from the Hoary repositories.

Postfix

postfix

postfix-tls

postfix-mysql

postfix-tls is, as of Breezy, part of the postfix package;
however if you are not using Breezy then you must
install postfix with the TLS features included.

Courier-IMAP

courier-base

courier-authdaemon

courier-authmysql

courier-imap

courier-imap-ssl

courier-ssl

If you require POP access then you'll want
to install the POP packages as well.

Amavisd-new

amavisd-new

SpamAssassin

spamassassin

spamc

ClamAV

clamav-base

libclamav1

clamav-daemon

clamav-freshclam

Postgrey

postgrey

There is also a postfix-gld package,
however I am using the postgrey one until I have fully tested the other.

phpmyadmin

Procedure

Now you might not want to install all the packages in one go;
it is perhaps better to group them by each piece of software, or a few together.

Please note you should run most of these commands via sudo.
I just haven't prepended all the commands with it.

If you want to find additional packages,
you can do a quick command line search for packages
by using this command:

apt-cache search postfix

To find out what you might already have installed:

dpkg --list | grep postfix

Then when you have the package list do this to install

# add -s to do a test run
# or -d if you just want to download the packages and do the install later
# (list the package names separated by spaces, not commas)
apt-get install package-name another-package-name

Some of the package installations will prompt you for input.

Postfix will ask you what type of server to create.
I just say "Internet Site" as we will be changing most configs anyway.
It will also ask for the fully qualified name of your server.
The clamav installation may ask whether to create directories etc.
Courier will ask whether to install the web admin, which I don't need,
and tell you that it will install TLS encryption, which is good.

Many of the packages also require further dependent packages,
so the final package list is quite large.

OS: Ubuntu

The most important setting, security wise,
is to configure the firewall.
This of course varies between firewalls
and your usage.
Shorewall's main config files in /etc/shorewall
that we are concerned with are
interfaces, hosts, zones, policy and rules.

Here is a typical rules file for a mail server

SMTP access from everywhere is commented out,
until we are confident everything is working
and secure.
Also commented out for now are IMAP
and TLS SMTP traffic, until we need them.
You might enable SSH from the internet if you want.

Then edit /etc/default/shorewall and turn it on.

MTA: Postfix

Postfix resides in /etc/postfix.
Postfix is by default set up in a chroot jail.
This is a security measure and a very good feature.

However when setting up the server the chroot may be
a problem, so keep it in mind if something doesn't work.
In master.cf there is a column which decides
which modules are run within the jail restrictions.
Hopefully you don't have to change these settings.

In main.cf you define how Postfix shall operate.
Each distribution has different defaults for these settings;
however most are similar, so you should not need to worry, but be aware of it.
These defaults are defined in the Postfix installation folder,
which probably is somewhere in /usr.
Most distributions also set up some suggested defaults in
the main.cf. Edit this file, note the suggestions
and then comment them out.

First set your server name;
this must match what you put in your domain's DNS MX records.

myhostname = server.yourdomain.com

Then decide what the greeting text will be.
Enough info so it is useful,
but not divulging everything to potential hackers.

smtpd_banner = $myhostname ESMTP $mail_name

Next you need to decide whether to send
all outgoing mail via another SMTP server,
or send it yourself.
I send via my ISP's server,
so it has to worry about the queuing etc.
If you send it yourself then you are not reliant
on a third-party server,
but you may risk more exposure and
accidentally be blocked by spam blockers,
and it is more work for your server.
Also many servers block dynamic DNS hosts,
so you may find your server gets rejected.
However, choose whichever you are comfortable with.

# leave blank to do it yourself
relayhost =
# or put in an accessible SMTP server
relayhost = smtp.yourisp.com

Next is the network details.
You will accept connections from anywhere,
and you only trust this machine.

inet_interfaces = all
mynetworks_style = host

Next you can masquerade some outgoing addresses.
Say your machine's name is "mail.domain.com".
You may not want outgoing mail to come from
username@mail.domain.com, as you'd prefer
username@domain.com.
You can also state which domains not to masquerade.
E.g. if you use a dynamic DNS service,
then your server address will be a subdomain.
You can also specify which users not to masquerade.

As we will be using virtual domains, these need to be empty.

local_recipient_maps =
mydestination =

Then we will set a few numbers.

# how long if undelivered before sending a warning update to the sender
delay_warning_time = 4h
# will it be a permanent error or temporary
unknown_local_recipient_reject_code = 450
# how long to keep a message in the queue before returning it as failed.
# some have 3 days, I have 16 days as I am backup server for some people
# who go on holiday with their server switched off.
maximal_queue_lifetime = 7d
# min and max time in seconds between retries if the connection failed
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
# how long to wait when servers connect before receiving the rest of the data
smtp_helo_timeout = 60s
# how many addresses can be used in one message.
# effective stopper to mass spammers and accidental copy-in of a whole address list,
# but may restrict intentional mail shots.
smtpd_recipient_limit = 16
# how many errors before backing off.
smtpd_soft_error_limit = 3
# max errors before blocking it.
smtpd_hard_error_limit = 12

Now we can specify some restrictions.
Be careful that each setting is on one line only.

In my client restrictions I specify some spam detection servers.
These are called RBLs: Real-time Blackhole Lists.
They check if the connecting server is a known open relay used by spammers.
Some argue these should not be used in the Postfix configuration,
as there are some false positives,
and SpamAssassin uses RBL checking anyway,
but as part of its scoring system, so it is not all black and white.
I added some warn_if_reject parameters.
They basically don't reject the email, but warn if it would normally have been rejected,
which makes them a nice way to test features.

Further restrictions:

Next we need to set some maps and lookups for the virtual domains.

# not sure of the difference between the next two,
# but they are needed for local aliasing
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# this specifies where the virtual mailbox folders will be located
virtual_mailbox_base = /var/spool/mail/virtual
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
# and their user id
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
# and group id
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
# and this is for aliases
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
# and this is for domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
# this is how to connect to the domains (all virtual, but the option is there)
# not used yet
# transport_maps = mysql:/etc/postfix/mysql_transport.cf

You need to set up an alias file.
This is only used locally,
and not by your own mail domains.

cp /etc/aliases /etc/postfix/aliases
# may want to view the file to check if ok.
# especially that the final alias, eg root goes
# to a real person
postalias /etc/postfix/aliases

Next you need to set up the folder
where the virtual mail will be stored.
This may have already been done by apt-get.
Also create the user who will own the folders.

Edit /etc/postfix/mysql_domains.cf

As you can see, the first three are very similar;
only the select_field changes.
If you specify an IP in hosts
(as opposed to 'localhost'),
then it will communicate over TCP
and not the MySQL socket (chroot restriction).

Database: MySQL

Next we need to set up all those lookups specified before.

First you need to create a user to use in MySQL.
Then you need to create the database.
And unless you have already done this,
make sure you have set a password for the root user!

# If not already done...
mysqladmin -u root password new_password
# log in as root
mysql -u root -p
# then enter the password for the root account when prompted
Enter password:
# then we create the mail database
create database maildb;
# then we create a new user: "mail"
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
ON maildb.* TO 'mail'@'localhost' IDENTIFIED BY 'apassword';
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
ON maildb.* TO 'mail'@'%' IDENTIFIED BY 'apassword';
exit;

You need to create these tables:

aliases

domains

users

We will create more later on for further extensions,
but only these are relevant now.

The last few fields are not required,
but useful if you extend later.

Next is to edit the my.cnf file.
In Ubuntu/Debian this is created by default.
In Mandrake I had to manually create a blank one in /etc.
In Ubuntu edit /etc/mysql/my.cnf

## In Hoary you needed to comment out this line
#skip-networking
## however in Breezy this has changed to
bind-address = 127.0.0.1
## which is fine
## Make sure this is set
log = /var/log/mysql/mysql.log
## Then in a few weeks comment it out
## when everything is working, as it slows mysql down

With this you have enabled network access to MySQL,
but you still control who connects to it
with your firewall and the user settings in MySQL.
You may be able to just connect straight to the socket, which is more secure.

# restart MySQL to make sure
# its picking up the new settings.
sudo /etc/init.d/mysql restart

IMAP: Courier-IMAP

Edit /etc/courier/imapd

# set how many connections to allow per IP address (i.e. per person).
# Easy to underestimate if you have 6 mailboxes set up.
MAXPERIP=20
# high debug level to start with
DEBUG_LOGIN=2
IMAPDSTART=YES

Then edit the same in the
POP and SSL options,
if you are going to use them.

If you have followed these steps properly,
you should now have a working mail server.
You can skip down to the
data and then
test stage
to see if your server works as intended.
It is not secure and is susceptible to spam,
so do follow the other steps soon,
but it is nice to find out that it works!

Content Checks: Amavisd-new

As of the Dapper release this is now separated across several config files in /etc/amavis/conf.d.
If you have an old setup, rename /etc/amavis/amavis.conf to e.g. amavis.conf.disabled.
A quick edit is to add your changes to a 50-user file within /etc/amavis/conf.d.
Thanks to Donald Goodman for the 50-user tip.
More information is in the wiki.
The important configurations are:

Then in av_scanner section you enable/disable
the virus scanners you are going to use.
We will be using ClamAV,
so comment out all lines between @av_scanners(
and its closing bracket.
Do the same for @av_scanners_backup.
Then in @av_scanner uncomment Clam lines,
(maybe lines 1232 to 1235).

Then you need to check that the $TEMPBASE
folder exists and is owned by the $daemon_user.
The same goes for the virus folder.

# You may have to do this
cd /var/lib/amavis
mkdir tmp
chown virtual:virtual tmp
chown virtual:virtual virusmails
# and maybe this
chown -R virtual:virtual /var/run/amavis

The init script for amavis insists on the ownership
of these being the "proper" amavis user and group.
As we need it to be the virtual pair,
we need to edit the /etc/init.d/amavis script.
(Unless someone has a sweeter, more correct way.)
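A quick check for the ownership requirement above, added here as an example rather than taken from the howto or from amavisd-new: it reports every path that is missing or not owned by the expected user and group, which is the first thing to look at when amavis or clamd refuse to start. The path list is an assumption based on the folders the text mentions; edit it to match your host.

```python
"""Check that the directories amavisd-new and clamd write to exist and are owned
by the user and group the daemons run as (virtual:virtual in this howto).

Added example for this page, not part of the howto or of amavisd-new.  The
path list is the set of folders the howto mentions and is an assumption for
your own host.
"""
import grp
import os
import pwd
import tempfile

# Folders the howto says must be owned by the daemon user (assumed paths).
AMAVIS_PATHS = [
    "/var/lib/amavis/tmp",
    "/var/lib/amavis/virusmails",
    "/var/run/amavis",
    "/var/run/clamav",
]


def owner_of(path):
    """Return the (user, group) names owning path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)        # uid without a passwd entry
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def check_ownership(paths, user, group):
    """Return a list of (path, problem) tuples; an empty list means everything is fine."""
    problems = []
    for path in paths:
        owner = owner_of(path)
        if owner is None:
            problems.append((path, "missing"))
        elif owner != (user, group):
            problems.append((path, "owned by %s:%s, expected %s:%s" % (owner + (user, group))))
    return problems


def self_test(expected_user=None, expected_group=None):
    """Try the checker offline on a fresh temp dir (owned by this process) plus a missing path."""
    d = tempfile.mkdtemp()
    try:
        actual_user, actual_group = owner_of(d)
        return check_ownership([d, os.path.join(d, "does-not-exist")],
                               expected_user or actual_user,
                               expected_group or actual_group)
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    problems = check_ownership(AMAVIS_PATHS, "virtual", "virtual")
    for path, problem in problems or [("-", "all paths present and owned by virtual:virtual")]:
        print(path, problem)
```

Run it as root (or any user that can stat the directories) after the chown commands above; an empty report means the init script has nothing to complain about on the ownership front.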

Next thing is to specify how to connect to the content check plugin.

Edit master.cf in /etc/postfix.
The changes I have made from the default master.cf are
modifying two lines, then adding three more services.
(Please note lines starting with -o need to be either tabbed or
double spaced, as they belong to the line above.)

Then edit main.cf in /etc/postfix and add these lines.

Anti-Virus: ClamAV

ClamAV does not need a lot of setting up.
You need to make sure it is run by the same user as amavisd-new.
Then you may configure the freshclam options,
which make sure you have the latest virus definitions.

Edit /etc/clamav/clamd.conf and change the user to the amavisd-new user or
the other way round.

# User clamav
User virtual

Then change ownership of its runtime folder

chown virtual:virtual /var/run/clamav

Edit freshclam.conf

# how frequently per day. The default is once an hour, which is a bit excessive.
# Once per day should do.
Checks 1

Anti-Spam: Spamassassin

SpamAssassin's default settings were fine,
but you can tweak them in /etc/spamassassin/local.cf
and review the defaults in /usr/share/spamassassin/.
E.g. you can increase or decrease the score levels needed before emails are
marked as spam and before they are rejected.

If you notice too much spam is being let through,
then do more tweaking. If you get too many false positives,
i.e. real emails marked as spam, loosen the setup slightly.
A properly configured SpamAssassin should catch 97% of all spam,
with probably 1 in 1000 false positives.

The SpamAssassin
site has a lot of information on setting it up.
It is worth a good read through.
Some useful tips are automatic learning,
cron jobs to learn user-marked spam and ham, etc.

PostGrey

Adding Postgrey to this mail setup is a breeze.
Thanks for the emails I got on Postgrey's benefits and integration.

Ubuntu's extended repositories have a postgrey package,
which installs the scripts and sets up a whitelist configuration in /etc/postgrey.
You can edit these files, but I don't bother.
If you do, you may want to add any backup MX server you use to the whitelist.

Authentication

Cyrus SASL provides a secure method of authenticating users.
This type of authentication is required by two components:
one is Postfix when sending email
and the other is Courier when reading emails.

If you need POP, modify the pop file as well.

Encryption

SASL is secure authentication, but all the traffic is still in plain text.
Enter encryption and TLS. TLS, an evolution of SSL, encrypts the traffic
between the server and your email client for sending via postfix
and reading via courier.

TLS is not client encryption,
ie encrypting the content all the way
between sender and recipient.
For this type, look up GnuPG and S/MIME in
the extensions.

First you need to create a certificate for Postfix and one for Courier.
For Postfix you need to do this for a 3-year certificate:

These ports are required for clients not able to use
the STARTTLS option on the plain port 25.
Port 465 (the smtps line) is an unofficial workaround,
so clients like Novell Evolution
use it until they fix their software to work with STARTTLS.

The Debian packages in Ubuntu create a certificate for Courier for you.
Otherwise do this (in case the server name is not the same as the machine name):

Then edit /etc/courier/imapd-ssl
and make sure this is the path to the certificate.

TLS_CERTFILE=/etc/courier/imapd.pem

This will enable secure traffic of emails between your clients
and the server.
As these are not signed certificates,
some clients may be prompted to accept them.
You could get people to import your certificates
if only a few are accessing your IMAP/SMTP server,
or purchase a signed one if you have a large number of users,
especially if corporate.
Outlook is known to be stubborn about accepting the certificates.

There are some issues with using SASL and TLS at the same time.
Since all the traffic is encrypted with TLS,
the need for SASL is smaller when TLS is enforced.

Webmail: SquirrelMail

SquirrelMail is a PHP application from SourceForge.
Once it is installed in a web root somewhere,
go to its parent folder,
e.g. /var/www/.
In Ubuntu it is installed in /usr/share, so do this first.

ln -s /usr/share/squirrelmail /var/www/squirrelmail

The next thing is to set up a URL to access SquirrelMail.
You can either have it as a subfolder in an existing web site,
or, as I prefer, as a virtual host of its own.
Edit wherever you specify virtual hosts on your system
(e.g. /etc/httpd/conf/vhosts/).
In Ubuntu edit this file: /etc/apache2/sites-available/webmail

Then enable and activate it.

The config folder is actually symlinked to
/etc/squirrelmail, so if you run several instances of
SquirrelMail you might want to create copies of it.

SquirrelMail is configured with 3 config files.
config_default.php is well commented and
sets up the default values. Do not edit it.

config.php overrides the defaults.
Do not edit this one either as it is created by
the conf.pl perl script.

Finally, config_local.php can be edited
and it overrides the others.

To configure squirrelmail, run the perl script.

/var/www/squirrelmail/config/conf.pl

It is menu driven and powerful, so be careful.
Also make sure there are no extra spaces before or
after any settings.
Choose option 9 from the menu, the database option.
Then 1 to edit the DSN for the address book.

# Enter this
mysql://username:password@127.0.0.1/database

Then choose 3 for the preferences and enter the same.

mysql://username:password@127.0.0.1/database

There is also a global address option if you choose to use it.
Press s to save the settings, and r to return to main menu.
Press q to exit.

Here is a copy of my config_local.php.
Read the default file for explanations.

Then you need to create these database tables.
My previous editions included the SquirrelMail specific
tables in the main mail database.
However I believe a cleaner setup is to have a separate
squirrel user and database for its settings.

First create a new squirrel database user,
or reuse the mail user.
See the MySQL section
for user creation details.

Then create a squirrel database
or reuse the mail database.
Make sure the user created above
has usage access to this database.
Again refer to the MySQL section.

Right then, as SquirrelMail suggests,
you can check if this works later on by going
to
http://your-squirrelmail-location/src/configtest.php
(Please note you may not have any data or mail to test it with yet,
so perhaps wait until the test section.)

phpMyAdmin

phpMyAdmin is an excellent MySQL administration GUI.
I use it to manage my mail settings,
and it can be used when setting up the MySQL database as well.

# cd into the web root where phpMyAdmin is installed, e.g. /var/www
# Again in Ubuntu a soft link is needed to /usr/share;
# this time however the apt-get has done it for you (check though).
# If the folder contains the version in its name,
# do this for ease of access and for later upgrading
ln -s phpMyAdmin1.6.2 phpMyAdmin

The first thing to do once you have installed phpMyAdmin
is to create a .htaccess file in its folder.
Otherwise every Tom, Dick and Harry can mess your system up.

# either reuse an old .htpasswd file
# or, as below, create one when you add the first user
htpasswd2 -c /path/to/htpasswd/file/outside/www/.htpasswd ausername
# then enter the desired password

Next you need to either create a .htaccess file
or modify one, as Ubuntu comes with one included.
I add these settings to my Apache virtual host config file,
but that is not necessary.
Make sure the Apache config for this host has
AllowOverride All in its settings.
Add these to
/path/to/phpmyadmin/.htaccess.
You may need to comment out some existing settings as well,
but see which cause errors.

Next is to edit /path/to/phpmyadmin/config.inc.php.
Set the $cfg['PmaAbsoluteUri'] to whatever address and path
your phpMyAdmin is.
Then set up what servers to connect to.
You can add the root user for easy admin of the whole system,
but that is a bit insecure.
Adding a different user with full access is a better solution,
if you require full admin through the GUI.
However for the mail admin, neither is required,
all you need to add is the mail user.

Then a root user.

Now let's add some proper data.
Say you want this machine to handle mail for the fictional domains
"blobber.org", "whopper.nu" and "lala.com".
Then say this machine's name is "mail.blobber.org".
You also have two users called "Xandros" and "Vivita".
You want all mail for whopper to go to xandros.
There is also a "Karl" user, but he wants all his mail forwarded
to an external account.

So what does each of these lines do?
Well, the domains are pretty straightforward.
The users are as well; each requires four fields.
ID is the email address of the user, and also its username
when logging in, described later on.
NAME is an optional description of the user.
MAILDIR is the name of the folder inside /var/spool/mail/virtual.
It must end in a /, otherwise it won't be used as a Unix maildir format.
CLEAR is the clear text password to use.

The aliases are the interesting part.
Let's start from a top down view.
Say an email arrives addressed to "john@whopper.nu".
Postfix looks up aliases and searches for a row where the mail
field matches "john@whopper.nu".
None does, so it next searches for "@whopper.nu",
which is the way to specify a catch-all for all other addresses in that domain.
It finds one row and its destination is "xandros@blobber.org".
It then searches for "xandros@blobber.org"
and finds one, whose destination is the same as the mail,
therefore it is the final destination.
It then tries to deliver this mail. The lookup says blobber.org
is a local mail domain, so it looks up users for a matching id and delivers it
to its maildir.

Let's try "julian.whippit@lala.com".
The first lookup does not find this user,
but the next finds the catch-all "@lala.com".
But its destination is another catch-all, "@blobber.org".
This means Postfix will look for "julian.whippit@blobber.org".
This address is not found either, nor is a catch-all for blobber.org.
Therefore this address is not valid and the message will be bounced.

Any mail arriving for "karl@blobber.org" or "karl@lala.com"
gets forwarded to the external address "karl.vovianda@gmail.com".
So forwarding is simple. I tend to use a subdomain for all my friends'
addresses as I easily forget what their real addresses
are, and I use different email clients all the time.

I also added the required aliases of postmaster and abuse to
blobber.org and whopper.nu. The catch-all for lala.com
means they are not required for that domain.
You can add them though, if you do not want xandros
to get the admin emails.
Another useful alias to add is root,
as you often get admin mail from e.g. cron jobs within
those domains.
Other often used aliases are info, sysadmin, support, sales,
webmaster, mail, contact and all.
But they are also honeypots for spam,
so just include the ones you think you will need.

Find all aliases for a certain domain
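The lookups walked through above, and the "all aliases for a domain" query, as an added worked example that is not the howto's own SQL or data: an in-memory SQLite database stands in for the MySQL maildb, with the three tables (domains, users, aliases) and the columns the text describes, loaded with the blobber.org / whopper.nu / lala.com story. The column types, Vivita's domain, the maildir names, the passwords and the destinations of the postmaster/abuse aliases are assumptions made for the demo. resolve() follows the text's description of Postfix's alias lookups: the full address first, then the @domain catch-all, repeated until an address maps to itself or to nothing, and only then the users table decides between a maildir, an outbound relay and a bounce.

```python
"""Virtual domain lookups of this howto, replayed on sample data.

Added example, not part of the howto or of Postfix: SQLite stands in for
the MySQL maildb.  Column types, Vivita's domain, maildir names, passwords
and the postmaster/abuse destinations are assumptions for the demo.
"""
import sqlite3

SCHEMA = """
CREATE TABLE domains (domain TEXT PRIMARY KEY);
CREATE TABLE users   (id TEXT PRIMARY KEY, name TEXT, maildir TEXT, clear TEXT);
CREATE TABLE aliases (mail TEXT, destination TEXT, PRIMARY KEY (mail, destination));
"""

# Constructed sample data following the blobber.org / whopper.nu / lala.com story.
DOMAINS = [("blobber.org",), ("whopper.nu",), ("lala.com",)]
USERS = [  # id, name, maildir (must end in / for Maildir format), clear-text password
    ("xandros@blobber.org", "Xandros", "xandros/", "changeme1"),
    ("vivita@blobber.org", "Vivita", "vivita/", "changeme2"),
]
ALIASES = [  # mail -> destination
    ("xandros@blobber.org", "xandros@blobber.org"),   # maps to itself: final
    ("vivita@blobber.org", "vivita@blobber.org"),
    ("@whopper.nu", "xandros@blobber.org"),           # catch-all for whopper.nu
    ("@lala.com", "@blobber.org"),                    # catch-all to another catch-all
    ("karl@blobber.org", "karl.vovianda@gmail.com"),  # forwarding
    ("karl@lala.com", "karl.vovianda@gmail.com"),
    ("postmaster@blobber.org", "xandros@blobber.org"),
    ("abuse@blobber.org", "xandros@blobber.org"),
    ("postmaster@whopper.nu", "xandros@blobber.org"),
    ("abuse@whopper.nu", "xandros@blobber.org"),
]


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO domains VALUES (?)", DOMAINS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO aliases VALUES (?, ?)", ALIASES)
    return conn


def lookup_alias(conn, address):
    """The mysql_alias.cf query: exact address first, then the @domain catch-all."""
    local, _, domain = address.partition("@")
    rows = conn.execute("SELECT destination FROM aliases WHERE mail = ?", (address,)).fetchall()
    if not rows:
        rows = conn.execute("SELECT destination FROM aliases WHERE mail = ?", ("@" + domain,)).fetchall()
    # A destination of "@other.domain" keeps the local part, as the text describes.
    return [local + dest if dest.startswith("@") else dest for (dest,) in rows]


def resolve(conn, address, depth=0):
    """Return the final deliveries: ('maildir', folder), ('relay', addr) or ('bounce', addr)."""
    if depth > 10:
        raise RuntimeError("alias loop while resolving " + address)
    if "@" not in address:
        return [("bounce", address)]
    targets = lookup_alias(conn, address)
    if targets and targets != [address]:
        deliveries = []
        for target in targets:
            deliveries.extend(resolve(conn, target, depth + 1))
        return deliveries
    domain = address.partition("@")[2]
    if conn.execute("SELECT 1 FROM domains WHERE domain = ?", (domain,)).fetchone() is None:
        return [("relay", address)]                    # not one of our domains: send it out
    row = conn.execute("SELECT maildir FROM users WHERE id = ?", (address,)).fetchone()
    return [("maildir", row[0])] if row else [("bounce", address)]


def aliases_for_domain(conn, domain):
    """All alias rows for one domain, including its catch-all row."""
    return conn.execute("SELECT mail, destination FROM aliases WHERE mail LIKE ? ORDER BY mail",
                        ("%@" + domain,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    for addr in ("john@whopper.nu", "julian.whippit@lala.com", "karl@lala.com", "vivita@blobber.org"):
        print(addr, "->", resolve(db, addr))
    print(aliases_for_domain(db, "whopper.nu"))
```

Run as a script it prints the same outcomes the walkthrough arrives at: john@whopper.nu lands in xandros's maildir, julian.whippit@lala.com bounces after the double catch-all, and karl's mail is relayed to the external address. The same SELECT statements, with MySQL's syntax, are what the mysql_*.cf files hand to Postfix, so a query that misbehaves here will misbehave there too.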

Test

This is a small and simple section,
but this will be the one you spend the longest on!

There will be spelling errors(by you and me), difference in setups,
external factors etc, so this server is guaranteed not to work first time.
Great eh?

But don't worry, we can quickly track down which section is at fault,
and solve the issues one by one.

I hope you blocked external access to your SMTP port (25)
in your firewall settings.
Otherwise you might have become an open relay for spammers.
(Okay, unlikely unless you have been running exposed for a few weeks.)
You will have to unblock it soon, but not yet.
Let's first be 100% sure the system works, so only local access
to SMTP should be allowed for now.

We will test each section bit by bit, to black-box certify each part.
First test that Postfix delivery works
(by excluding content checks and ignoring Courier).
We will check if it can connect to MySQL for its lookups,
if maildirs are created and if it can send messages.
Then we'll re-enable content checks to see if they work.
Then we start testing Courier,
to see if it can access MySQL and if it shows the right mailboxes.

The easiest way to do the testing is with telnet.
Turn on full debugging, tail a few logs and let's get started.

Then in main.cf comment out this line:

#content_filter = amavis:[127.0.0.1]:10024

Then we'll tail the MySQL and Postfix logs (paths might differ).
It helps being in X Windows,
or ssh in from another machine if there is no X server,
or just use different sessions (ctrl+alt+f1-6),
as we will be tailing and editing in many sessions at once.

# In one window do this
tail -f /var/log/mysql/mysql.log
# then in another
tail -f /var/log/maillog.info
# then in a third window start mysql
/etc/init.d/mysql start
# then
/etc/init.d/postfix start
# then check if postfix is listening on 25 and mysql on 3306
netstat -tnlp

Okay up and running (hopefully).

First we will telnet in and try and send a message to a local user.

Then we will try and send to an external user via postfix.

# Let's try and send a message to xandros@lala.com
# (replace with your own user in this setup, or use postmaster@localhost)
telnet localhost 25
# response back:
>>>
# then open the handshake with ehlo and the server name you are connecting from...
EHLO mail.domain.tld
>>>
# then say who is the sender of this email
MAIL FROM: <your@address.com>
> 250 Ok
# then say who the mail is for
RCPT TO: <xandros@lala.com>
> 250 Ok
data
> 354 End data with <CR><LF>.<CR><LF>
# enter the message body and end with a line with only a full stop.
blah blah blah
more blah
.
> 250 Ok; queued as QWKJDKASAS
# end the connection with
quit
> 221 BYE

The Postfix log should then start showing what is happening.
If something happens in the MySQL log,
it means that connection is working.

Possible problems and solutions can be:

Nothing happens when trying to connect via telnet.

Ports are not listening.

Check with "netstat -ptln" if postfix is listening.

Firewall blocks all smtp traffic.

You are testing from a different machine which can't reach the server.

Sender domain not accepted.

You must use a valid domain name and address when connecting via telnet.

Change the EHLO and MAIL FROM details when telneting.

DNS resolution might not work from server. check if it can ping google.com etc.

Postfix queue says it has received the message,
but nothing happens in the MySQL log.

MySQL connection is not working.

Check file permissions in the postfix folder

Chroot problem, set all services in master.cf to n in the chroot column

Check if the MySQL socket exists

Try changing host in the postfix mysql files between localhost, 127.0.0.1 and real ip. This will result in it trying socket and tcp alternatively.

Spelling mistake in postfix mysql files. (Extra spaces?)

When all these tests are working fine, re-enable the content checks
and try all the tests again.
This time you might have to tail the syslog as well.
Possible problems can be:

If there is a response then all is well.
Otherwise check the ownership of /var/run/amavisd.
Perhaps change /etc/init.d/amavisd to make
sure it chowns it to virtual:virtual.

debug_peer_list = 127.0.0.1

Now if all is okay internally, you need to edit the firewall rules
and re-enable smtp access from the net.
Test from an external server if you have ssh access to one.
Proper telnet testing will let you know quickly if something is wrong.
When that process works okay, it is time to test with proper emails.
Either use an external webmail service, e.g. gmail,
or forward via external mail forwarding services.

Doing a full reboot to test if everything comes up as desired
is probably a good idea as well.

Congratulations, you have a working mail server!
Now send me a note to let me know about it.

Then restart shorewall

Database (MySQL)

MySQL should work fine after installation and configuration.

However, as we go through the other sections,
it is very useful to tail the mysql query log file
throughout all the tests.
This is an easy way to see if each application
has its database settings configured correctly.

Some of these sections can be brief as they
are not core to this howto.

Remote MX mail backup

With an MX backup, losing emails is unlikely.

Normally if someone sends an email destined for you,
their server will try and connect to your server.
If it can't reach your server for whatever reason
( it is down, dns issues, there are network problems, or it is just too busy ),
the other server will back off and try again in a bit.
How many times and for how long it will try again is determined
by the sending server. Some of them are not very patient,
and will report the mail undelivered after only a few attempts.
So you would have lost that email.

If you had specified a backup MX,
this email may not have been lost.
Upon the first failure to connect to your server,
the sender would check if there is any alternative server
to send to. So it connects to your backup mx server.
This server spools and queues your message
and will try at intervals to send the message to you.
It too will eventually give up, though.

What is the difference?
Simple: you (or whoever controls the backup mx )
are in control of how long and how often to try connecting
to your machine.
So if you have reasonable values and your server
is not down for weeks, no mail is lost.

How to implement it?
First edit the DNS records again,
and add a backup mx with a higher preference value.

Then, on the backup server,
edit main.cf and add these:

You may choose to have this as the last line in the file,
as you may use small cron jobs to modify this IP address
if you don't have a permanent static address.
It should contain your IP address, hence if you do not
have a very static IP address, you need to
automate the editing of the postfix file.

Next create this file /etc/postfix/mysql_transport.cf

You noticed I added a transport lookup.
This is a field in both the domain and the backup tables.
In domains it is used to determine how to deliver
the email, i.e. either virtual (correct) or local
(not used in this howto).
When backing up servers, you also need to specify
in the transport field how to connect to the correct servers.

Say you are the backup for a friend's server, mail.friend.com,
for the domains friend1.com and friend2.com.
So you should insert this into your backup table.

The :[] tells postfix to connect directly to this server,
not doing any more lookups for valid MX servers.
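To make the :[] rule above concrete, here is an added example (not from this howto) that parses Postfix transport values the way the text describes them and builds the values you would put in the backup table's transport field for a friend's domains. The table column names are not assumed; only the transport values are produced.

```python
"""Parse Postfix transport-table values such as "smtp:[mail.friend.com]".

Added example: a nexthop in square brackets is connected to directly,
without an MX lookup; a bare nexthop is looked up for MX records first.
"""
import re
from typing import Dict, Iterable, NamedTuple, Optional


class Route(NamedTuple):
    transport: str           # e.g. "smtp", "virtual", "local"
    nexthop: Optional[str]   # host to deliver to, or None (use recipient domain)
    mx_lookup: bool          # False only when the nexthop was written as [host]
    port: Optional[int]      # explicit ":port" suffix, if any


# "[host]" or "host", optionally followed by ":port"
_NEXTHOP = re.compile(
    r"^(?:\[(?P<bracketed>[^\]]*)\]|(?P<bare>[^:\[\]]*))(?::(?P<port>\d+))?$"
)


def parse_transport(value: str) -> Route:
    """Split "transport:nexthop" and decide whether MX lookup applies."""
    value = value.strip()
    transport, sep, nexthop = value.partition(":")
    if not sep or not nexthop:
        # "virtual" or "smtp:" - no nexthop, Postfix uses the recipient domain
        return Route(transport, None, True, None)
    m = _NEXTHOP.match(nexthop)
    if not m:
        raise ValueError(f"malformed nexthop in transport entry: {value!r}")
    if m.group("bracketed") is not None:
        host, mx = m.group("bracketed"), False   # direct connection, no MX
    else:
        host, mx = m.group("bare"), True         # MX records are consulted
    port = int(m.group("port")) if m.group("port") else None
    return Route(transport, host or None, mx, port)


def backup_rows(server: str, domains: Iterable[str]) -> Dict[str, str]:
    """Transport values for domains relayed straight to `server`, as in the
    friend1.com / friend2.com example: one "smtp:[server]" entry per domain."""
    return {domain: f"smtp:[{server}]" for domain in domains}


if __name__ == "__main__":
    for domain, value in backup_rows("mail.friend.com", ["friend1.com", "friend2.com"]).items():
        print(domain, value, parse_transport(value))
```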

This should now work fine.
For further tweaking of the queue values,
review these and modify as appropriate.
Shorter warning times are good for the sender,
so that they realise the email has not arrived yet,
but may also be annoying. Tradeoffs..
Look in the first main.cf configurations
for ways to do so.

Local file backup

Here is a rough backup script to back up your configurations
and mail folders.
You may want to back up the mail folders separately
as they can quickly grow to GBs.
Adding this to a cronjob automates the process.
Be aware that you should
stop postfix and courier while backing up the
mail folders, and that if they have grown large,
this may take some time.

Sender ID & SPF

todo

Further security features include using Microsoft's
Sender ID or Pobox's SPF. I'd use SPF as
there is much argument over Sender ID.

While SPF should limit who can send mail on behalf of your domains
( so basically fewer spoofed spam addresses ),
I do have some technical issues with SPF as
its design is a bit iffy.
That is because of the limitations of DNS and that it
has to fit inside the limited TXT record.
No nice XML config file....

While Microsoft is not always entirely evil,
as sometimes they do nice things
and make some useful software,
I would prefer not to be locked into
their Sender ID technology.

White/Black Lists

todo

You can implement further lists inside Postfix or SpamAssassin.
Amavisd-new already has a few well known white/black listed items
in its config files.
SpamAssassin also has a feature to automatically learn white lists.

PGP & S/MIME

This is not implemented on the postfix server side,
as this is totally a client-side option.

However SquirrelMail has a GnuPG option.
It is a plugin that can be downloaded from their website,
which can then be enabled via SquirrelMail's
config script.

Here is how to create a GnuPG key pair.

# check you have not already got a key
gpg --list-keys
# then create one
gpg --gen-key

To import GnuPG into Evolution:
in your settings/preferences,
edit your account settings and
add your private key under the security tab.
The private key ID is found by listing the GnuPG
keys as above; it is the 8 characters
after the "sub 1024g/" bit of your key.

Throttle Output

todo

For some users with restrictions on bandwidth,
you may wish to control how much mail is sent out.
Postfix has long refused to implement these features,
out of the ideological belief that mail servers should
not be restricted.
However there are some ways around this.
More to come later.

Downloads

Here is a list of config files to assist you and some
batch shell scripts to try and do the install steps for you.

None at this moment.

Please note, they are not guaranteed to work.
You should review them to make sure they will work for you,
and that I am not doing something bad, or misspelt or forgot something,
and so that you understand how they work.

Contact

There are threads on the
Ubuntu forums web site.
You have a high chance of a reply and a proper discussion
about it if you post there, as many people can answer.
The threads also include many helpful tips and previous answers.

If you have written extensions or can recommend links then
I would like to hear from you.
I also do like to hear from people who are happy with this howto.
Please then use the form below.

It is nice to hear from people, however I only check that mailbox once a month, if that,
so please don't expect a reply, especially not a very quick reply.

( Remember, if it is a technical question,
then post in the forums.
If you send questions directly to me via the form, email or pm,
they will unfortunately mostly be ignored. )

If you really felt this howto was useful,
then here is my wish list:
wishlist.sf.net/users/flurdy/.
Or use the Paypal donation button in the introduction.
Please note this document is free, as in beer and speech,
using an open source license,
and I am not expecting many, if any, donations.

Form removed due to too much spam,
and people ignoring my request to ask
questions in the forum and not by mail.
It may be reinstated once I've implemented a better form spam catcher.
Use this form if you have to,
but questions will still be ignored...
:)